December 3, 2022

Volume XII, Number 337

Cybersecurity Risks with Connected Health Devices

Cybersecurity vulnerabilities are an increasing concern as medical devices become more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.

FDA recently warned of cybersecurity risks to Hospira’s Symbiq Infusion System, a computerized pump designed for the continuous delivery of general infusion therapy. According to FDA, Hospira’s infusion pump can be accessed remotely through a hospital’s network, allowing an unauthorized user to control the device and change the dosage the pump delivers. Given this risk, FDA issued an alert to health care facilities to “strongly encourage” them to discontinue use of Hospira’s pumps and transition to alternative infusion systems. The agency acknowledged, however, that it was not aware of any adverse events or unauthorized access of Hospira’s pump in a health care setting. FDA recommends health care facilities follow the good cybersecurity hygiene practices outlined in the FDA Safety Communication Cybersecurity for Medical Devices and Hospital Networks, posted in June 2013.

Over the past few years, the agency’s efforts in promoting cybersecurity have led it to collaborate with other agencies and organizations. Last September, FDA announced its partnership with the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), a non-profit organization focused on advancing health sector cybersecurity. The collaboration, formalized through a Memorandum of Understanding, includes a goal to develop a shared risk-assessment framework to help the health care industry better assess and mitigate cybersecurity risks that affect their products.

NIST is also directing its efforts toward promoting cybersecurity. Recognizing that use of mobile devices to store, access, and transmit electronic health records is outpacing the privacy and security protections on those devices, NIST recently issued a draft practice guide, “Securing Electronic Health Records on Mobile Devices.” This is the first in a planned series of publications on improving cybersecurity across industries through the use of standards-based, commercially available or open-source tools.

According to NIST, medical identity theft costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions. Indeed, patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack, NIST reports.

Packaged as a “How To” guide, the draft practice guide provides organizations with best practices for securing health care data on mobile devices. Specifically, the guide describes the best practices in a hypothetical scenario in which a primary care physician uses a mobile device for routine, recurring activities such as sending a referral containing a patient’s clinical information to another physician, or sending an electronic prescription to a pharmacy. NIST is taking public comments on the practice guide through September 25.

 

 

© 2022 Covington & Burling LLP
National Law Review, Volume V, Number 223

About this Author

Bianca Nunes, Covington Burling, food drug lawyer
Associate

Bianca Nunes is an associate in the firm’s Washington, DC office, where she is a member of the Food and Drug practice group. She advises food, pharmaceutical, and biotechnology companies on a variety of regulatory and compliance issues.

Representative Matters

  • Advised food companies on compliance with FDA’s menu and vending machine labeling requirements.
  • Counseled clients on the Dietary Guidelines Advisory Committee’s (DGAC) recommendations for the 2015 Dietary Guidelines for Americans and drafted comments to the DGAC.
  • Advised...
202-662-5149